Date: 2022-05-19

The use of ITG23 crypters with Emotet and IcedID malware is the latest evidence of a close relationship with these groups that has featured distributing each other’s malware and cooperating on malware development. Emotet first appeared in 2014 as a banking trojan and later emerged as a prominent downloader for other banking trojans, including IcedID, Qakbot, and Trickbot. IcedID, also known as Bokbot and often referred to by ITG23 as Anubis, is a banking trojan first discovered by X-Force in September 2017. Since that time IcedID — like many banking trojans — has evolved to include backdoor and data harvesting capabilities and is often used as a downloader for other malware, including Cobalt Strike and ransomware.

Emotet: ITG23 and the Emotet group have a history of seeding each other’s malware. ITG23 has used Emotet extensively to deliver Trickbot malware, often leading to the notorious Emotet -> Trickbot -> Ryuk ransomware attack sequence. Following actions to disrupt Trickbot group operations in fall 2020, Emotet moved quickly to assist ITG23’s recovery by downloading Trickbot malware to infected machines. A year later, ITG23 returned the favor by seeding Emotet samples to facilitate Emotet’s return following the January 2021 international law enforcement operation against the group.

The presence of “Veron” aka “Mors” participating in conversations with ITG23 members in the leaked chats also points to ITG23’s close cooperation with Emotet. Historically, “mors” was a gtag used with Trickbot samples delivered by Emotet. Based on the conversations, Veron/Mors appears to be a liaison to ITG23 for Emotet-related matters. Veron/Mors also seemed to work with the crypting team, and messages from Bentley discussing the crypting of files for Veron can be found in the chats. Bentley sent the following messages to Veron and Stern between February and May 2021, possibly related to crypting Emotet samples for testing purposes before Emotet’s reappearance in November:

February 24, 2021:
Stern → Bentley: veron запустился? (Veron started?)
Bentley → Stern: Он начинает в марте. Работаем над криптами для него. наших криптора
(He starts in March. We're working on the crypters for him. Our crypters)

March 1, 2021:
Stern → Bentley: veron не начал еще? (Veron hasn't started yet?)
Bentley → Stern: Првиет. Еще не начанал. Сделали годеый крипт его длл. Ждем как даст полную версию со всеми ньюансами
(Hi. Not started yet. Made a suitable crypter for his dll. We're waiting for a full version with all the nuances.)

May 5, 2021:
Bentley → Veron: Можешь дать длл на крипт? Пока можем начать криптовать и готовить стабы
(Can you give a dll for the crypt? For now, we can start to crypt and prepare stubs)

Messages between Veron and Stern in May 2021 suggest that the return of Emotet may have been delayed due to a need to rewrite parts of the code for security purposes.

May 18, 2021:
Stern → Veron: привет. когда стартуем?
(Hi, when are we starting?)
Veron → Stern: привет, я скажу когда точно, в ближайшее время уже, делаю чтобы не взломали
(Hello, I'll tell you exactly when, in the near future already, I'm doing it so that they don't get hacked)

May 24, 2021:
Veron → Stern: привет, сорри, что задерживаем, но надо переписать часть, я за безопасность
напиши как будешь, если вопросы есть
(hello, sorry for the delay, but we need to rewrite part, I'm for security
let me know if you have any questions)

IcedID: The first evidence of ITG23’s cooperation with the IcedID group appeared in May 2018, when security researchers observed IcedID downloading Trickbot malware. Several months later, other researchers noted Trickbot returning the gesture and downloading an updated IcedID variant that incorporated features used with Trickbot samples, suggesting that the two groups also collaborated on development. In early 2019, other analysts observed IcedID using a custom Trickbot shareDLL module to download core Trickbot malware. A month later, those researchers described a new Trickbot proxy module for man-in-the-middle (MITM) attacks against web browsers that was highly similar to the IcedID proxy module. A Trickbot module named anubisDll32 was also developed containing the IcedID core code. In November 2021, X-Force and other researchers observed multiple campaigns during which BazarLoader was used to download IcedID malware.

The leaked chats provide additional insight into ITG23’s close relationship with IcedID, although the exact nature of this relationship remains unclear. On May 1, 2021, Stern congratulated “Leo” on his “cool bot IcedID” for gaining the attention of security researchers, revealing that Leo is likely affiliated with the IcedID group.

Stern → Leo: а твой крутой бот ICEDld
(and your cool ICEDId bot)
Stern → Leo: про него пишут исследователи
(researchers write about it)
Stern → Leo: что ты сейчас на первом месте
(that you're in the first place)

The leaked chats often refer to a “Project Leo”, which we assess is a reference to IcedID. Bentley regularly provides Mango with updates on crypting related to “Project Leo”, and in November 2021, Stern messaged the following instruction to Bentley: